MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d
SHA3-384 hash: 4ee75db663b1972aad7c5842f5374ccb781cf757a1e5e1502af21f6414dc12c8b280df7c8372aaef907811e426cc236b
SHA1 hash: cd3db760a1fd437744c189bca542afe8eb0b6dda
MD5 hash: c28479bce1d7cfc221be5b71bf470164
humanhash: whiskey-quiet-berlin-green
File name:c28479bc_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'360 bytes
First seen:2021-05-19 19:01:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:QOMGA84rLxWGqfoqAWRaL5t3H62VkT7TSp2WpkEvla:QBrLxYf2zq2VIfSNkEvla
Threatray 1'535 similar samples on MalwareBazaar
TLSH 91B3D472B6B7B835FE1880F0274C47ED82972E38C464454BDDC629186BF1A76A6243F7
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c28479bc_by_Libranalysis
Verdict:
No threats detected
Analysis date:
2021-05-19 19:31:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5655761b-4896-40d9-8d0d-52f2ccefa8a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158753/
Detection(s):
SecuriteInfo.com.Variant.Jaik.45934.13958.22252.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785302
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417702 Sample: c28479bc_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Potential malicious icon found 2->36 38 Found malware configuration 2->38 40 7 other signatures 2->40 8 c28479bc_by_Libranalysis.exe 2->8         started        11 RegAsm.exe 4 2->11         started        process3 signatures4 42 Writes to foreign memory regions 8->42 44 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->44 46 Tries to detect Any.run 8->46 48 2 other signatures 8->48 13 RegAsm.exe 17 8->13         started        18 conhost.exe 11->18         started        process5 dnsIp6 30 wywtrwbnmhtytrebsgwtfcvzcxgjhyegvbcnmgte.ydns.eu 37.230.169.99, 2486 VOXILITYGB Netherlands 13->30 32 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49732, 80 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 13->32 26 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 13->26 dropped 28 C:\Users\user\AppData\Local\...\tmpD80F.tmp, XML 13->28 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 13->50 52 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 13->52 54 Tries to detect Any.run 13->54 56 3 other signatures 13->56 20 schtasks.exe 1 13->20         started        22 conhost.exe 13->22         started        file7 signatures8 process9 process10 24 conhost.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 16:31:24 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnr7csentkbzmuj2hxjmub5ujlpojmiypxc6nwkjgtwwe4phn5oq._file
Verdict:
unknown
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
GuLoader
3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a
GuLoader
311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533
GuLoader
34a666042ff3ad45f4e1e37776cc55d4f4fdd1bcd8233852839d55fc076410d1
GuLoader
6670269c08d80b6511029d06dfa07711a5e0bb1494107da5dc9d9d5661f010f3
GuLoader
8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
GuLoader
b0ce84526989dd02968e8ddae780d47de367ece10dbfc9d472893531abd08825
GuLoader
c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
GuLoader
d5956571b9e9bc5c925d5b26a0bd0771c636bff202c0adb7d1d9ad6efe487bae
GuLoader
d75c69a49a30595964989b72499ec0e303ff42a0e2a334dda22a9cd9fd7e8ba5
GuLoader
+ 1'525 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210519-gkcpy4mpt2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/MEKI%20NEW_rGDXhItdtA168.bin
:2486
wywtrwbnmhtytrebsgwtfcvzcxgjhyegvbcnmgte.ydns.eu:2486
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158753/
  
URLhaus
https://urlhaus.abuse.ch/url/1256667/
  
Delivery method
Distributed via web download

Comments